coolmelife.com的弹出算卦网下载者

病毒名称:N/A(AVP)
病毒类型:下载者
加壳信息:N/A
编写语言:Borland Delphi 6.0 - 7.0
病毒来源:飞羽提供

病毒将会打开:
"http://www.coolmelife.com/ad/left.htm"
"http://www.coolmelife.com/ad/receive.htm"
"http://www.coolmelife.com/ad/right.htm"
并且采用此命令打开主页:explorer.exe http://www.coolmelife.com
病毒将从以下地址下载病毒文件:
http://www.coolmelife.com/download/Project1.exe
http://www.coolmelife.com/download/Project2.exe
http://www.coolmelife.com/download/a.dll
http://www.coolmelife.com/download/b.dll
http://www.coolmelife.com/download/srv.exe      (其实是个网页...)

病毒将生成以下文件:
%windir%\system32\AutoCML.exe    418KB   
%windir%\system32\misser.exe    449KB    
%windir%\system32\npcdll.DLL    15KB    
%windir%\system32\NPMIS.EXE    446KB    
%windir%\system32\MicKon.Dll    15KB    
%windir%\system32\drivers\NHDLL.DLL 15KB   
%windir%\system32\drivers\vplose.exe 446KB   
%windir%\system32\wbem\svchost.exe 443KB   
%windir%\system32\usmt\mig_hy.bk 443KB  
%userprofile%\Local Settings\Temporary Internet Files\Content.IE5\89S9EFUZ\srv[1].exe 418KB
%userprofile%\Local Settings\Temporary Internet Files\Content.IE5\89S9EFUZ\Project1[1].exe 443KB
%userprofile%\Local Settings\Temporary Internet Files\Content.IE5\216ZG9CT\a[1].dll 15KB
%userprofile%\Local Settings\Temporary Internet Files\Content.IE5\216ZG9CT\Project2[1].exe 76KB
%userprofile%\Local Settings\Temporary Internet Files\Content.IE5\216ZG9CT\b[2].dll 15KB
添加注册表项:
HKEY_USERS\S-1-5-21-1482476501-1993962763-842925246-500\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\WINDOWS\system32\wbem\svchost.exe "Generic Host Process for Win32 Service"
HKEY_USERS\S-1-5-21-1482476501-1993962763-842925246-500\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\WINDOWS\system32\misser.exe "Microsoft(R) Connection Manager"
HKEY_USERS\S-1-5-21-1482476501-1993962763-842925246-500\Software\Microsoft\Windows\ShellNoRoam\MUICache E:\InstallWatch Pro\Micnbio.exe "Microsoft(R) Connection Manager"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\WINDOWS\system32\wbem\svchost.exe "Generic Host Process for Win32 Service"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\WINDOWS\system32\misser.exe "Microsoft(R) Connection Manager"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache E:\InstallWatch Pro\Micnbio.exe "Microsoft(R) Connection Manager"

解决方案:
1.使用Icesword强行删除一下文件:
%windir%\system32\AutoCML.exe
%windir%\system32\misser.exe
%windir%\system32\npcdll.DLL
%windir%\system32\NPMIS.EXE
%windir%\system32\MicKon.Dll
%windir%\system32\drivers\NHDLL.DLL
%windir%\system32\drivers\vplose.exe
%windir%\system32\wbem\svchost.exe
%windir%\system32\usmt\mig_hy.bk
2.清空IE临时文件夹:
IE图标上点右键选择属性→Internet 属性→Internet 临时文件→单击"删除文件"
3.删除以下注册表项:
HKEY_USERS\S-1-5-21-1482476501-1993962763-842925246-500\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\WINDOWS\system32\wbem\svchost.exe "Generic Host Process for Win32 Service"
HKEY_USERS\S-1-5-21-1482476501-1993962763-842925246-500\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\WINDOWS\system32\misser.exe "Microsoft(R) Connection Manager"
HKEY_USERS\S-1-5-21-1482476501-1993962763-842925246-500\Software\Microsoft\Windows\ShellNoRoam\MUICache E:\InstallWatch Pro\Micnbio.exe "Microsoft(R) Connection Manager"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\WINDOWS\system32\wbem\svchost.exe "Generic Host Process for Win32 Service"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\WINDOWS\system32\misser.exe "Microsoft(R) Connection Manager"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache E:\InstallWatch Pro\Micnbio.exe "Microsoft(R) Connection Manager"
重启一下即可...